From 55e78a1fe80bbe322933d3ba3c6065ed59fb4ada Mon Sep 17 00:00:00 2001
From: Colm O hEigeartaigh
Date: Thu, 22 Nov 2018 15:51:10 +0000
Subject: [PATCH] ZOOKEEPER-3235 - Enable secure processing and disallow DTDs in the SAXParserFactory
---
 .../src/main/java/org/apache/jute/XmlInputArchive.java | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/zookeeper-jute/src/main/java/org/apache/jute/XmlInputArchive.java b/zookeeper-jute/src/main/java/org/apache/jute/XmlInputArchive.java
index 99e11d10eaf..a4ae9381c3a 100644
--- a/zookeeper-jute/src/main/java/org/apache/jute/XmlInputArchive.java
+++ b/zookeeper-jute/src/main/java/org/apache/jute/XmlInputArchive.java
@@ -143,6 +143,8 @@ public XmlInputArchive(InputStream in)
 valList = new ArrayList();
 DefaultHandler handler = new XMLParser(valList);
 SAXParserFactory factory = SAXParserFactory.newInstance();
+ factory.setFeature(javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
 SAXParser parser = factory.newSAXParser();
 parser.parse(in, handler);
 vLen = valList.size();
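Review bot: The two added `setFeature` calls have no comment explaining why they are there, and the second uses an Apache/Xerces feature URI that the parser returned by `SAXParserFactory.newInstance()` is not guaranteed to recognise. I would add above them `// XXE hardening: reject any DOCTYPE. setFeature throws if the parser lacks this feature, so we fail closed on purpose.` so nobody later wraps the call in a catch that ignores the failure. `Boolean.TRUE` on the first call is auto-unboxed into the primitive `boolean` parameter, so plain `true` would match the line below it. The diffstat lists only this file, so a regression test that feeds the constructor a document containing a DOCTYPE and expects it to be rejected would pin the behaviour. The constructor's signature and throws clause lie outside the hunk, so I am assuming the existing clause already covers the exceptions `setFeature` declares.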